[16946] in cryptography@c2.net mail archive

RE: SHA1 broken?

daemon@ATHENA.MIT.EDU (Trei, Peter)
Tue Feb 22 11:47:24 2005

X-Original-To: cryptography@metzdowd.com
Date: Thu, 17 Feb 2005 19:56:07 -0500
From: "Trei, Peter" <ptrei@rsasecurity.com>
To: "Dave Howe" <DaveHowe@gmx.co.uk>,
	"Cypherpunks" <cypherpunks@al-qaeda.net>,
	"Cryptography" <cryptography@metzdowd.com>

Actually, the final challenge was solved in 23 hours, about
1/3 Deep Crack, and 2/3 Distributed.net. They were lucky, finding
the key after only 24% of the keyspace had been searched.

More recently, RC5-64 was solved about a year ago. It took
d.net 4 *years*.

2^69 remains non-trivial.

Peter


-----Original Message-----
From: owner-cypherpunks@minder.net on behalf of Dave Howe
Sent: Thu 2/17/2005 5:49 AM
To: Cypherpunks; Cryptography
Subject: Re: SHA1 broken?

Joseph Ashwood wrote:
> I believe you are incorrect in this statement. It is a matter of public
> record that RSA Security's DES Challenge II was broken in 72 hours by
> $250,000 worth of semi-custom machine, for the sake of solidity let's
> assume they used 2^55 work to break it. Now moving to a completely
> custom design, bumping up the cost to $500,000, and moving forward 7
> years, delivers ~2^70 work in 72 hours (give or take a couple orders of
> magnitude). This puts the 2^69 work well within the realm of realizable
> breaks, assuming your attackers are smallish businesses, and if your
> attackers are large businesses with substantial resources the break can
> be assumed in minutes if not seconds.
>
> 2^69 is completely breakable.
>                Joe
   It's fine assuming that Moore's law will hold forever, but without
that you can't really extrapolate a future tech curve. With *today's*
technology, you would have to spend an appreciable fraction of the
national budget to get a one-per-year "break", not that anything that
has been hashed with SHA-1 can be considered breakable (but that would
allow you to (for example) forge a digital signature given an example).
   This of course assumes that the "break" doesn't match the criteria
from the previous breaks by the same team - i.e., that you *can* create a
collision, but you have little or no control over the plaintext for the
colliding elements - there is no way to know as the paper hasn't been
published yet.



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com